flat assembler
Message board for the users of flat assembler.

Index > Windows > kernel-mode driver for hooking SDT, _basic_ example

Author
Thread Post new topic Reply to topic
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 09 Sep 2006, 21:19
Nothing new, just had laying on HD and RG was interested, havent seen one in fasm tho...
Next step to do would be adding hooking of USEFULL api's Twisted Evil
Have fun...


Description: everyone who has any doubt on binaries I provided, I suggest compiling .sys, and getting(or using other tool to load driver) KmdManager that comes along masm-ddk by Four-F, wasm.ru has the package I think.
Download
Filename: RoKi.rar
Filesize: 14.34 KB
Downloaded: 617 Time(s)


_________________
When We Ride On Our Enemies
support reverse smileys |:
Post 09 Sep 2006, 21:19
View user's profile Send private message MSN Messenger Reply with quote
RedGhost



Joined: 18 May 2005
Posts: 443
Location: BC, Canada
RedGhost 10 Sep 2006, 06:02
I will research this further. You also have very clear code, not crazy about the hungarian notation though Smile.

Maybe someone should convert the DDK to fasm.

Thanks.

_________________
redghost.ca
Post 10 Sep 2006, 06:02
View user's profile Send private message AIM Address MSN Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 10 Sep 2006, 07:15
could you post direct link to that KMD-manager?
Post 10 Sep 2006, 07:15
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Mr_Silent



Joined: 25 Apr 2006
Posts: 30
Mr_Silent 10 Sep 2006, 07:31
Post 10 Sep 2006, 07:31
View user's profile Send private message Reply with quote
asmfan



Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 28 Sep 2007, 18:58
I think i found a bug in code:
Code:
        mov     dword [eax+DRIVER_OBJECT.MajorFunction+IRP_MJ_CREATE], DispatchCreateClose              ;driverobject+038h
        mov     dword [eax+DRIVER_OBJECT.MajorFunction+IRP_MJ_CLOSE], DispatchCreateClose               ;driverobject+040h
        mov     dword [eax+DRIVER_OBJECT.MajorFunction+IRP_MJ_DEVICE_CONTROL], DispatchCreateClose      ;driverobject+070h
    

IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_DEVICE_CONTROL are just indexes in array of procs tus they should be multiplied by 4 to get addresses.
The correct code should be imo like this
Code:
        mov     dword [eax+DRIVER_OBJECT.MajorFunction+IRP_MJ_CREATE*4], DispatchCreateClose              ;driverobject+038h
        mov     dword [eax+DRIVER_OBJECT.MajorFunction+IRP_MJ_CLOSE*4], DispatchCreateClose               ;driverobject+040h
    

_________________
Any offers?
Post 28 Sep 2007, 18:58
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.